Network configuration predictive analytics engine

ABSTRACT

A mechanism associated with a network management system (NMS) interprets and predicts the impact on a network of a network configuration change proactively. By providing pre-configuration analysis in this manner, a network administrator can determine the potential effect of the proposed configuration change in advance of actually inserting a configuration command in the network that might otherwise have unforeseen and damaging consequences. The technique is implemented using a predictive analytics engine that receives a proposed network command and, using a current network topology, executes the command against one or more NMS algorithms to verify that the command can be implemented safely.

BACKGROUND OF THE INVENTION

1. Technical Field

This disclosure relates generally to network management tools.

2. Background of the Related Art

Maintaining the proper operation of various types of computerizedservices is usually an important but difficult task. Serviceadministrators are often called upon to react to a service failure byidentifying the problem which caused the failure and then taking stepsto correct the problem. To avoid wasting resources investigating thewrong problems, administrators must make accurate assessments as to thecauses of failures. Because substantial time and resources are oftenrequired, administrators must also make accurate decisions as to when toallocate resources to the tasks of identifying problems and fixing them.

A number of network management tools are available to assistadministrators in completing these tasks. Network management systemsdiscover, model and maintain knowledge bases of network devices andtheir connectivity, and provide mechanisms to actively monitor thenetwork proactively to identify network problems. IBM® Tivoli® Netcool®is a suite of applications that allow network administrators to monitoractivity on networks, to log and collect network events, includingnetwork occurrences such as alerts, alarms, or other faults, and thenreport them to network administrators in graphical and text-basedformats. Using such tools, administrators are able to observe networkevents on a real-time basis and respond to them more quickly. Suchsystems also typically include network service monitors of various typeswhich measure performance of a network so that, among other things,network resources can be shifted as needed to cover outages. A system ofthis type may also include a configuration management tool to automatenetwork configuration and change management tasks. This enables networkoperators and administrators to enhance network security by controllingaccess by users, devices and commands, maintain the real-time state ofthe network, and automate routine configuration management tasks.

While these tools provide significant advantages, fault managementoccurs after-the-fact, i.e., after the issue or incident has alreadyoccurred and for the purpose of minimizing the damage already done.Indeed, root cause analysis, although sophisticated, is designed todrive recovery automation and related approval processes beforecorrective commands are inserted into the affected network element(e.g., a router or switch). The problem with this approach is that thecorrective action itself may cause new problems. For example, a networkmanagement tool may suggest a corrective course of action, such asinstructing a network engineer to open a port when the result of thataction causes a broadcast packet storm that then floods the network withpackets and interrupts other services. When the corrective action itselfcauses new issues, further operational costs and network downtime oftenresult.

There remains a need in the art to provide new techniques for networkmanagement that addresses these and other deficiencies in the known art.

BRIEF SUMMARY

This disclosure describes a technique and system to provide a predictivemechanism that interprets and predicts the impact on the network of anetwork configuration change proactively, preferably based on one ormore of: an awareness of the network topology, configuration commandhistory, and network analytics. By providing pre-configuration analysisin this manner, a network administrator can determine the potentialeffect of the proposed configuration change in advance of actuallyinserting a configuration command in the network that might otherwisehave unforeseen and damaging consequences. In a representativeembodiment, a predictive analytics engine (PAE) receives and stores acurrent network status. That status is updated periodically andcontinuously such that a current view of the network topology isavailable to the engine. Following a network incident, a proposedconfiguration command is entered in the predictive analytics engine andan analysis executed. If, based on the analysis, the engine determinesthat the configuration command may be executed safely, an indication tothis effect is provided and/or the command is issued to the affecteddevice or system. The predictive analytics engine then receives anupdate from the network device and validates that the correction (asrepresented by the configuration command) was successful. If, however,based on the analysis the engine determines that the configurationcommand may not be executed safely, the engine alerts the administratorand/or makes a recommendation about an alternative course of action toaddress the incident.

The foregoing has outlined some of the more pertinent features of theinvention. These features should be construed to be merely illustrative.Many other beneficial results can be attained by applying the disclosedinvention in a different manner or by modifying the invention as will bedescribed.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and theadvantages thereof, reference is now made to the following descriptionstaken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts an exemplary block diagram of a distributed dataprocessing environment in which exemplary aspects of the illustrativeembodiments may be implemented;

FIG. 2 is an exemplary block diagram of a data processing system inwhich exemplary aspects of the illustrative embodiments may beimplemented;

FIG. 3 illustrates a known network management system;

FIG. 4 illustrates how the network management system in FIG. 3 respondsto an alarm to generate a root cause analysis and an automated recoveryprocess;

FIG. 5 depicts a block diagram of predictive network management approachaccording to this disclosure;

FIG. 6 depicts a block diagram of the predictive analytics engine in oneembodiment; and

FIG. 7 depicts a process flow of the predictive network managementapproach of this disclosure.

DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

With reference now to the drawings and in particular with reference toFIGS. 1-2, exemplary diagrams of data processing environments areprovided in which illustrative embodiments of the disclosure may beimplemented. It should be appreciated that FIGS. 1-2 are only exemplaryand are not intended to assert or imply any limitation with regard tothe environments in which aspects or embodiments of the disclosedsubject matter may be implemented. Many modifications to the depictedenvironments may be made without departing from the spirit and scope ofthe present invention.

The Client-Server Model

With reference now to the drawings, FIG. 1 depicts a pictorialrepresentation of an exemplary distributed data processing system inwhich aspects of the illustrative embodiments may be implemented.Distributed data processing system 100 may include a network ofcomputers in which aspects of the illustrative embodiments may beimplemented. The distributed data processing system 100 contains atleast one network 102, which is the medium used to provide communicationlinks between various devices and computers connected together withindistributed data processing system 100. The network 102 may includeconnections, such as wire, wireless communication links, or fiber opticcables.

In the depicted example, server 104 and server 106 are connected tonetwork 102 along with storage unit 108. In addition, clients 110, 112,and 114 are also connected to network 102. These clients 110, 112, and114 may be, for example, personal computers, network computers, or thelike. In the depicted example, server 104 provides data, such as bootfiles, operating system images, and applications to clients 110, 112,and 114. Clients 110, 112, and 114 are clients to server 104 in thedepicted example. Distributed data processing system 100 may includeadditional servers, clients, and other devices not shown.

In the depicted example, distributed data processing system 100 is theInternet with network 102 representing a worldwide collection ofnetworks and gateways that use the Transmission ControlProtocol/Internet Protocol (TCP/IP) suite of protocols to communicatewith one another. At the heart of the Internet is a backbone ofhigh-speed data communication lines between major nodes or hostcomputers, consisting of thousands of commercial, governmental,educational and other computer systems that route data and messages. Ofcourse, the distributed data processing system 100 may also beimplemented to include a number of different types of networks, such asfor example, an intranet, a local area network (LAN), a wide areanetwork (WAN), or the like. As stated above, FIG. 1 is intended as anexample, not as an architectural limitation for different embodiments ofthe disclosed subject matter, and therefore, the particular elementsshown in FIG. 1 should not be considered limiting with regard to theenvironments in which the illustrative embodiments of the presentinvention may be implemented.

With reference now to FIG. 2, a block diagram of a data processingsystem is shown in which illustrative embodiments may be implemented.Data processing system 200 is an example of a computer, such as server104 or client 110 in FIG. 1, in which computer-usable program code orinstructions implementing the processes may be located for theillustrative embodiments. In this illustrative example, data processingsystem 200 includes communications fabric 202, which providescommunications between processor unit 204, memory 206, persistentstorage 208, communications unit 210, input/output (I/O) unit 212, anddisplay 214.

Processor unit 204 serves to execute instructions for software that maybe loaded into memory 206. Processor unit 204 may be a set of one ormore processors or may be a multi-processor core, depending on theparticular implementation. Further, processor unit 204 may beimplemented using one or more heterogeneous processor systems in which amain processor is present with secondary processors on a single chip. Asanother illustrative example, processor unit 204 may be a symmetricmulti-processor system containing multiple processors of the same type.

Memory 206 and persistent storage 208 are examples of storage devices. Astorage device is any piece of hardware that is capable of storinginformation either on a temporary basis and/or a permanent basis. Memory206, in these examples, may be, for example, a random access memory orany other suitable volatile or non-volatile storage device. Persistentstorage 208 may take various forms depending on the particularimplementation. For example, persistent storage 208 may contain one ormore components or devices. For example, persistent storage 208 may be ahard drive, a flash memory, a rewritable optical disk, a rewritablemagnetic tape, or some combination of the above. The media used bypersistent storage 208 also may be removable. For example, a removablehard drive may be used for persistent storage 208.

Communications unit 210, in these examples, provides for communicationswith other data processing systems or devices. In these examples,communications unit 210 is a network interface card. Communications unit210 may provide communications through the use of either or bothphysical and wireless communications links.

Input/output unit 212 allows for input and output of data with otherdevices that may be connected to data processing system 200. Forexample, input/output unit 212 may provide a connection for user inputthrough a keyboard and mouse. Further, input/output unit 212 may sendoutput to a printer. Display 214 provides a mechanism to displayinformation to a user.

Instructions for the operating system and applications or programs arelocated on persistent storage 208. These instructions may be loaded intomemory 206 for execution by processor unit 204. The processes of thedifferent embodiments may be performed by processor unit 204 usingcomputer implemented instructions, which may be located in a memory,such as memory 206. These instructions are referred to as program code,computer-usable program code, or computer-readable program code that maybe read and executed by a processor in processor unit 204. The programcode in the different embodiments may be embodied on different physicalor tangible computer-readable media, such as memory 206 or persistentstorage 208.

Program code 216 is located in a functional form on computer-readablemedia 218 that is selectively removable and may be loaded onto ortransferred to data processing system 200 for execution by processorunit 204. Program code 216 and computer-readable media 218 form computerprogram product 220 in these examples. In one example, computer-readablemedia 218 may be in a tangible form, such as, for example, an optical ormagnetic disc that is inserted or placed into a drive or other devicethat is part of persistent storage 208 for transfer onto a storagedevice, such as a hard drive that is part of persistent storage 208. Ina tangible form, computer-readable media 218 also may take the form of apersistent storage, such as a hard drive, a thumb drive, or a flashmemory that is connected to data processing system 200. The tangibleform of computer-readable media 218 is also referred to ascomputer-recordable storage media. In some instances,computer-recordable media 218 may not be removable.

Alternatively, program code 216 may be transferred to data processingsystem 200 from computer-readable media 218 through a communicationslink to communications unit 210 and/or through a connection toinput/output unit 212. The communications link and/or the connection maybe physical or wireless in the illustrative examples. Thecomputer-readable media also may take the form of non-tangible media,such as communications links or wireless transmissions containing theprogram code. The different components illustrated for data processingsystem 200 are not meant to provide architectural limitations to themanner in which different embodiments may be implemented. The differentillustrative embodiments may be implemented in a data processing systemincluding components in addition to or in place of those illustrated fordata processing system 200. Other components shown in FIG. 2 can bevaried from the illustrative examples shown. As one example, a storagedevice in data processing system 200 is any hardware apparatus that maystore data. Memory 206, persistent storage 208, and computer-readablemedia 218 are examples of storage devices in a tangible form.

In another example, a bus system may be used to implement communicationsfabric 202 and may be comprised of one or more buses, such as a systembus or an input/output bus. Of course, the bus system may be implementedusing any suitable type of architecture that provides for a transfer ofdata between different components or devices attached to the bus system.Additionally, a communications unit may include one or more devices usedto transmit and receive data, such as a modem or a network adapter.Further, a memory may be, for example, memory 206 or a cache such asfound in an interface and memory controller hub that may be present incommunications fabric 202.

Computer program code for carrying out operations of the presentinvention may be written in any combination of one or more programminglanguages, including an object-oriented programming language such asJava, Smalltalk, C++ or the like, and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on theuser's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer, or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

Those of ordinary skill in the art will appreciate that the hardware inFIGS. 1-2 may vary depending on the implementation. Other internalhardware or peripheral devices, such as flash memory, equivalentnon-volatile memory, or optical disk drives and the like, may be used inaddition to or in place of the hardware depicted in FIGS. 1-2. Also, theprocesses of the illustrative embodiments may be applied to amultiprocessor data processing system, other than the SMP systemmentioned previously, without departing from the spirit and scope of thedisclosed subject matter.

As will be seen, the techniques described herein may operate inconjunction within the standard client-server paradigm such asillustrated in FIG. 1 in which client machines communicate with anInternet-accessible Web-based portal executing on a set of one or moremachines. In such an approach, end users operate Internet-connectabledevices (e.g., desktop computers, notebook computers, Internet-enabledmobile devices, or the like) that are capable of accessing andinteracting with the portal. Typically, each client or server machine isa data processing system such as illustrated in FIG. 2 comprisinghardware and software, and these entities communicate with one anotherover a network, such as the Internet, an intranet, an extranet, aprivate network, or any other communications medium or link. A dataprocessing system typically includes one or more processors, anoperating system, one or more applications, and one or more utilities.The applications on the data processing system provide native supportfor Web services including, without limitation, support for HTTP, SOAP,XML, WSDL, UDDI, and WSFL, among others. Information regarding SOAP,WSDL, UDDI and WSFL is available from the World Wide Web Consortium(W3C), which is responsible for developing and maintaining thesestandards; further information regarding HTTP and XML is available fromInternet Engineering Task Force (IETF). Familiarity with these standardsis presumed.

In the alternative, the techniques described herein may operate within astandalone data processing system, or within the context of a “cloud”environment wherein computing resources are shared among a number ofentities.

Network Management

Referring now to FIG. 3, a conceptual view of a network managementsystem 300 is illustrated. Without meant to be limiting, each of thecomponents shown in this drawing may be implemented in one or moremachines, systems, devices, programs, processes, execution threads, andthe like. Typically, a machine is a data processing system such as shownin FIG. 2, and the identified functionality is implemented in one ormore software routines executed on hardware elements. One or more of thecomponents may be remotely-located from one another, and components maybe offered as a service in a SaaS-based or other cloud-compute deliverymodel.

The network management system 300 generally comprises a visualizationlayer 312, a data layer 314, and a network layer 316. The visualizationlayer 312 typically provides topology visualization 318 and eventvisualization 320. Using topology visualization 318, network operatorsmay use a number of topology visualization GUIs to view the network andto drill into network devices. Topology maps may be fully customized toshow specific devices, or to show specific device groupings, such assubnets and virtual LANs (“VLANs”). Operators may switch from topologyviews to alert views to see alert details for affected devices. They mayalso have access to diagnostic tools, such as topology browsers, whichmay obtain IP data for any device. Using event visualization 320,operators may view alert lists and use alert severity ratings to quicklyidentify high priority device alerts. They may switch from alert viewsto topology views to see which devices are affected by specific alerts.They may also identify root-cause alerts and list the symptom alertsthat may contribute to the root cause. Alerts may be generated by anetwork manager monitoring mechanism, or they may be received from othernetwork management systems or mechanisms.

The data layer 314 typically includes topology storage 322, root-causeanalysis (RCA) 324, and event storage 326. Topology storage 322 mayinclude a topology database, also known as a Network Connectivity andInventory Model (“NCIM”). This topology database may include arelational database to consolidate topology data from other devices andsystem. Root-cause analysis 324 is used to determine the root cause ofone or more device alerts. A failure situation on the network maygenerate multiple alerts. This is because a failure condition on onedevice may render other devices inaccessible. Alerts may be generated toindicate that all of these devices are inaccessible. The networkmanagement system may perform root cause analysis by correlating eventinformation with topology information to determine which devices aretemporarily inaccessible due to other network failures. Alerts ondevices which are temporarily inaccessible may be suppressed or shown assymptoms of the original root-cause alert. Root-cause alerts also may beshown in alert lists and topology maps with identified severity levelsso that operators can easily identify them. Event and alert data arestored in event storage device 326.

The network layer 316 typically includes a monitoring module 328 and adiscovery module 330. The monitoring module 328 enables networkadministrators to configure polling of discovered network devices. Suchpolls may indicate whether a network device is up or down, whether ithas exceeded key performance parameters, and/or whether links betweendevices may be faulty. If a poll fails, the network management system310 may generate a device alert, which operators may view in alertlists. The discovery module 330 enables network administrators togenerate a network topology. This topology typically is stored in thetopology database 322, and it may be visualized by network operators astopology maps. Such topology maps may be customized to show specificdevices or specific device groupings, such as subnets and VLANs. Inoperation, the discovery module 330 collects raw IP data to detectexistence of a device on the network, and it may query the device forfurther inventory and connectivity information. The module 320 processesthe raw IP data, inventory and connectivity information to generate atopology model.

A representative network management system is available commercially asIBM® Tivoli® Network Manager™ IP Edition. As described above, thissystem actively monitors the network to identify and potentially addressnetwork problems. The system may include a web-enabled or otheradministrative/management interface to enable monitoring and viewing ofmanagement data, a policy engine to configure and manage policies to beapplied with respect to the network or particular network devices, aperformance management tool to collect performance data and generatereports, a configuration manager to automate network configuration andchange management tasks, control over network device access and networkpolicy compliance, and a flow-based network traffic analysis system thatprovides a detailed view of resource usage in networked ITinfrastructures.

FIG. 4 illustrates a typical model for post-incident assessment andcorrection according to the prior art. In this approach, the networkmanagement system 400 includes the components shown in FIG. 3. Inresponse to an alarm (step 1) from the network 402, the networkmanagement system 400 traps the alarm and performs root cause analysis(step 2). The network management system then performs an automatic orautomated recovery process (step 3) to attempt to address the problemthat generated the alarm. In this approach, as has been described, acorrective action (e.g., updating a router or switch with a newconfiguration) may then be undertaken. The effect of the correction,however, may address the problem that caused the alarm; however, thecorrection also may have other unintended consequences on the network orvarious devices thereon.

Network Configuration Predictive Analysis Engine

With the above background, the subject matter of this disclosuredescribes a predictive approach to network management that enables anadministrator to formulate a proposed corrective action in response to anetwork event, and to analyze an impact of that action on the networkbefore deploying that action. Unlike the post-configuration analysisapproach of the prior art, the disclosed technique provide forpre-configuration analysis to ensure that proposed configuration changesdo not create new problems. In a particular embodiment, the techniqueprovides an administrator the ability to predict or interpret theresponse of a network device prior to inserting a configuration commandinto that device. The pre-configuration analysis approach of thisdisclosure may be used in any network management system, and withrespect to any network device, system, program or process.

To this end, the described operation is provided in a networkconfiguration predictive analysis engine (PAE). This nomenclature ismerely for purposes of explanation and should not be taken as limiting.Without limitation, the predictive analysis engine is implemented incomputer software executing on one or more processors or processingdevices. Depending on implementation, the computer software typicallycomprises one or more computer programs, one or more processes, one ormore execution threads, etc., and associated data and data structures.The programs and data are held in computer memory.

FIG. 5 illustrates a representative operation of the networkconfiguration predictive analytics engine 505, which is positionedbetween network management system 500 and the network 502 that is beingmanaged by that system. Although the drawing illustrates the predictiveanalytics engine 505 as being distinct from the network managementsystem 500, this is not a limitation, as the engine may be integratedwith or otherwise a component of the network management system. In thealternative, the engine may be operated as a distinct and separateoperating component, and may be either co-located or remote from thenetwork management system and/or the network itself. In this operation,at step 0, the engine 505 receives update information from one or morenetwork devices. Typically, the update information includes, withoutlimitation, configuration status, routing table data, operationalstatus, and the like). In a preferred embodiment, the engine 505receives the update information extracted from the configuration as aresult of a programmatic command line interface (CLI) query to thedevice. In the alternative, the device pushes its configuration data tothe engine on a periodic basis, or asynchronously. Based on the receivedconfiguration data, the engine 505 builds a topology of the network (ora given portion of the network) at the time of the update. Preferably,the updates are received at (or otherwise provided to) the engineperiodically and continuously so that the engine has a substantiallyreal-time “view” of the network topology.

In this manner, the predictive analytics engine (or one or morecomponents thereof) discover, model and maintain a knowledgebase of thenetwork (and the various devices thereof) and, in particular, itstopology and operational state.

Referring back to FIG. 5, at step 1, it is assumed that the networkmanagement system has received an alert or alarm indicative of a networkevent that needs to be addressed. As noted above, network managementsystems actively monitor the network to respond to network problems,e.g., by issuing alarms, providing root cause analysis andvisualizations, performing automated recovery, and the like. The networkmanagement system thus is adapted and/or configured to manually or inautomated manner generate a network command. The network command or,more generally, the configuration command, typically provides controlsignaling and related data to address a particular problem or type ofproblem that has been found (by the network management system) to havetriggered the alert or alarm. The nature of the command will varydepending on the implementation but also on the type of problem that hasbeen assessed by the network management system. Thus, for example, analarm may indicate that a network switch is looping after a particularnetwork interface is activated; the recommended action is such case maybe to check whether a given service (STP) is enabled on the affectedport. The network management system may then recommend that the networkengineer issue a “no shut” command to address the issue. In anotherexample, an address conflict alarm may be raised indicating that thenetwork has been identified by an unknown router; in such case, thenetwork management system may recommend checking the network againstexisting router tables. The network management system may then recommendthat the network engineer issue an OSPF command to the router. Ofcourse, these are just representative examples.

Referring back to FIG. 5, the predictive analytics engine receives theproposed network command and performs an analysis. The predictiveanalytics engine in effect “executes” the command internally anddetermines the effect or impact of such execution. In this manner, theengine simulates how the network will respond to the network commandgiven its current topology and operating state. Without intending to belimiting, preferably the analytics engine performs this simulation basedon one of more of the following data or data types: awareness of thenetwork topology, configuration command history, and network analytics.As a result of executing the network command (preferably within theengine itself), the engine determines an outcome. If the enginedetermines that the network command is likely to (or will) cause a newnetwork event (e.g., an incident, an alarm, or the like), the enginereturns an indication to this effect back to the network managementsystem. The nature of this indication will depend on the implementation,and it may be provided programmatically or other means, such as e-mail,text message, web page updates, or the like. In general, the engineflags the potential new network event and may also provide the networkmanagement system with an action or recommendation. The action orrecommendation will depend on the implementation and the scope andnature of the potential problem that has been identified by theanalytics engine. The decision to return an alarm or recommendation backto the network management system may be based on a configurablethreshold of severity, or based on other factors, such as time-of-day,identification of the network device expected to be affected, devicelocation, data potentially impacted, or the like. If, on the other hand,the engine determines (based on the simulation) that the network commandis valid (or likely valid), e.g., based on a configurable threshold ofvalidity, the engine provides the network command to the network device.This is step 3. At step 4, the network device receives an update fromthe network device. This information is then validated at step 5 and, ifvalid, applied to the existing state information stored by the engine.

FIG. 6 illustrates a representative predictive analytics engine 600.Although the engine is illustrated with distinct components, one ofordinary skill in the art will appreciate that this component-based ormodule-based is not meant to be limiting. One or more of the componentsshown in the drawing may be combined, and one or more components may beexecuted remotely from one another. As noted above, the engine 600stores the current network status, preferably in a database 604 that isshared by the components. Preferably, the engine has the full topologyof the network (or, at the very least, that portion of the network thatis to be analyzed) extracted from the configuration and in response to aCLI query to the device. As noted above, this data in the alternativemay be pushed from the network device to the engine. The particularmechanism by which such configuration data is supplied is not limited,although preferably the data is refreshed frequently, such as hourly ordaily. Frequent update of the state data ensures that the network statusis up-to-date to avoid lack of integrity issues.

The main processing components of the engine comprise a commandprocessor 602, a policy algorithm module 606, a set of individual NMSalgorithm modules 608-624, and a security algorithm module 626. Eachcomponent comprises its own algorithm to process the incoming commandand output any necessary warning or action recommendation. The command601 is received by the engine and routed by the command processor 602 toone or more of the algorithm modules, depending on the type and scope ofthe command. One network command may be passed to more than one networkalgorithm module. The modules use the database 604 as their base toperform the required analysis. The database includes network topologyinformation, as well as the data required by each particular module forits processing. Thus, more generally, the database 604 is a knowledgedatabase (or knowledgebase). The policy algorithm module 606 and thesecurity algorithm module 626 are provided as needed to ensure that thecommand is both compliant with one or more security policies and/orconstraints. The remaining algorithms provide context-specific NMSoperations; as noted above, whether a particular module is implicateddepends on the network command. Thus, in many cases only one or severalof the modules will be implicated by the network command and executed todetermine whether the network command will impact the network. Thus,module 608 checks to determine whether a command directed to change arouter configuration is OSPF compliant. Module 610 checks for BGPcompliance. Module 612 verifies the network command against a spanningtree algorithm to determine potential effects of implementing thecommand against the current network topology. In like manner and, asnecessary, module 614 verifies the command complies with respect toIS-IS protocol issues, while module 616 verifies the command withrespect to multiprotocol label switching (MPLS). Module 618 checks todetermine the impact of the command on current virtual LAN (VLAN)configurations. Module 620 checks for MPLS Layer 2 VPN compliance, whilemodule 622 checks for MPLS Layer 3 VPN compliance. The IP multicastalgorithm module 624 checks to verify whether any applicable networkcommand executes correctly with respect to any such algorithm that mightbe implicated by the command.

The particular NMS algorithms identified in FIG. 6 are known, and otherNMS algorithms and processes may be substituted or mayaugment/supplement those that are shown in the example engine 600. Ofcourse, the particular NMS functions to be analyzed against the networkcommand 601 may be quite varied and will depend on the nature of theanalysis sought to be carried out proactively according to thetechniques herein. As a result of applying the analysis, an output 628is generated. As previously described, this output may simply be thenetwork command being passed to the network or network device. This is adefault operation when the result(s) of executing the network commandindicate that the command can be executed safely or validly (typicallywithin some margin of configurable error). If, however, one or more ofthe modules indicates the possibility of a new problem (as a result ofexecuting the command 601), the output 628 may be an alarm, an alarmtogether with a recommended change to the command, or just arecommendation. The output 628 may be provided in a machine-readableformat and is then communicated back to the network management system.

The above-described operation of the predictive analytics engine helpsto detect issues before the command is injected into the network (andapplied to individual network devices thereon). Because the networkcommand is analyzed within a particular context (i.e., by the specificalgorithm that may be affected), the analysis provides a logical anduseful result, typically in the form of a warning and/or recommendationthat are then acted upon (either manually or programmatically). Theoutput 628 also may be provided (e.g., to the network engineer orothers) visually and/or aurally.

Generalizing, one or more components or functions of the predictiveanalytics engine is implemented in computer software executing on one ormore processors or processing devices. Depending on implementation, thecomputer software typically comprises one or more computer programs, oneor more processes, one or more execution threads, etc., and associateddata and data structures. The programs and data are held in computermemory.

FIG. 7 is a process flow illustrating the operation of the engine inmore detail. The routine begins at step 700. At step 702, input(s) fromone or more (and preferably all) network devices in the topology arecollected. Although not meant to be limiting, data is retrieved via arequest/response query initiated from the engine (or NMS), or data ispushed to the engine (or NMS) from the network device. At step 704, theanalytics engine generates a knowledgebase that includes thethen-current topology and related information describing the networkconfiguration. The knowledgebase also may include other data, such ashistorical configuration data, historical incident data, configurationcommand history, details regarding how each module (in FIG. 6) performsprediction calculations, and other network or performance analytics anddata. During step 704, which may be continuous, the engine builds itsactive knowledge of the network topology. At step 706, a new command isreceived by the analytics engine. The command is then analyzed by theengine at step 708; as described above, this operation triggersexecution of one or more processing modules (each preferably analyzing aparticular algorithm). At step 710, a test is performed to determinewhether the analysis generated an alarm. If so, the routine branches tostep 712 to check the command. The result of step 712 may be that thecommand is discarded, amended, supplemented or otherwise augmented toaddress the alarm/warning issued in step 710. If the result of the testat step 710 indicates that the network command (perhaps as modified viathe loop through step 712) is valid (or safe), the routine continues atstep 714. At this step the engine inputs the command into one or morenetwork devices (such as a router or switch). The routine then continuesat step 716 to check the result of applying/executing the commandagainst the one or more network devices. Thus, another test is performedat step 718 to determine whether the network command has triggered orraised any new alarm or warning. If so, the routine branches to step720. At step 720, input from the network device is obtained and suppliedback to the knowledgebase. This input typically will reflect a fault orfailure condition. If, however, the result of the test at step 718indicates no alarm or warning, the routine ends at step 722.

The following are representative use cases. These use cases should notbe taken to limit this disclosure. In a first use case, an alarmindicates that a switch is looping after an interface (e.g., GigabitEthernet 3/1) is activated. A recommended action (provided by the NMS)is to check whether STP is enabled on the port. Without the PAE, thenetwork engineer might simply issue a command such as “no shut,” butthat command may result in a broadcast store in the network, wherein thenetwork would then be flooded with packets and services are interrupted.To avoid that outcome, the network command is first verified through aspanning tree algorithm (by module 612) before being injected into theimpacted switch. In a second use case, the alarm is an address conflictand the recommended corrective action is a router configuration change,such as “network 10.1.1.0|0.0.0.255.”Before that command is issued,however, the PAE engages its OSPF algorithm module for analysis actionand verification. In each case, after the analysis, the PAE will outputan alarm, or an alarm and recommendation, or allow the network commandto execute against the network, as has been previously described.

The disclosed subject matter provides significant advantages. A majoradvantage is that the described approach interprets and predicts theimpact of network configuration commands proactively. This approachobviates most post-configuration analysis because it affords the networkmanager an opportunity to modify a network command before that commandis actually used based on real-world impact on the then-current networktopology and state. It enables the user to anticipate possible issuesthat might arise due to incorrect or inappropriate network configurationcommands being entered by the network management system. By using thetechnique, network operational costs are significantly reduced, as theanalytics engine preferably only releases the network command if thatcommand can be executed safely. As a consequence, further network issuesor downtime (that might arise as a result of the original fix) areavoided. In operation, the analytics engine preferably checks everynetwork command for its validity, and it raises an appropriatealarm/warning for an operation if the command is anticipated to causeother network issues.

Many variants are within the scope of this disclosure. Thus, forexample, there may be multiple analytics engines providing theservice(s) described herein, e.g., in a cloud-compute environment. AnNMS may use a third party predictive analytics engine. The output of theengine may be logged and used for other management, compliance, auditingor reporting purposes.

As noted, the functionality described above may be implemented as astandalone approach, e.g., a software-based function executed by aprocessor, or it may be available as a managed service (including as aweb service via a REST or SOAP/XML interface). The particular hardwareand software implementation details described herein are merely forillustrative purposes are not meant to limit the scope of the describedsubject matter.

More generally, computing devices within the context of the disclosedsubject matter are each a data processing system (such as shown in FIG.2) comprising hardware and software, and these entities communicate withone another over a network, such as the Internet, an intranet, anextranet, a private network, or any other communications medium or link.The applications on the data processing system provide native supportfor Web and other known services and protocols including, withoutlimitation, support for HTTP, FTP, SMTP, SOAP, XML, WSDL, SAML, Liberty,Shibboleth, OpenID, WS-Federation, Cardspace, WS-Trust, UDDI, and WSFL,among others. Information regarding SOAP, WSDL, UDDI and WSFL isavailable from the World Wide Web Consortium (W3C), which is responsiblefor developing and maintaining these standards; further informationregarding HTTP, FTP, SMTP and XML is available from Internet EngineeringTask Force (IETF). Familiarity with these known standards and protocolsis presumed.

The scheme described herein may be implemented in or in conjunction withvarious server-side architectures other than cloud-basedinfrastructures. These include, without limitation, simple n-tierarchitectures, web portals, federated systems, and the like.

As the above examples illustrate, one or more of the described functionsmay be hosted within or external to the cloud.

Still more generally, the subject matter described herein can take theform of an entirely hardware embodiment, an entirely software embodimentor an embodiment containing both hardware and software elements. In apreferred embodiment, the workflow recording and playback functions areimplemented in software, which includes but is not limited to firmware,resident software, microcode, and the like. The data can be configuredinto a data structure (e.g., an array, a linked list, etc.) and storedin a data store, such as computer memory. Furthermore, as noted above,the recording and playback functionality described herein can take theform of a computer program product accessible from a computer-usable orcomputer-readable medium providing program code for use by or inconnection with a computer or any instruction execution system. For thepurposes of this description, a computer-usable or computer readablemedium can be any apparatus that can contain or store the program foruse by or in connection with the instruction execution system,apparatus, or device. The medium can be an electronic, magnetic,optical, electromagnetic, infrared, or a semiconductor system (orapparatus or device). Examples of a computer-readable medium include asemiconductor or solid state memory, magnetic tape, a removable computerdiskette, a random access memory (RAM), a read-only memory (ROM), arigid magnetic disk and an optical disk. Current examples of opticaldisks include compact disk-read only memory (CD-ROM), compactdisk-read/write (CD-R/W) and DVD. The computer-readable medium is atangible item.

The computer program product may be a product having programinstructions (or program code) to implement one or more of the describedfunctions. Those instructions or code may be stored in a computerreadable storage medium in a data processing system after beingdownloaded over a network from a remote data processing system. Or,those instructions or code may be stored in a computer readable storagemedium in a server data processing system and adapted to be downloadedover a network to a remote data processing system for use in a computerreadable storage medium within the remote system.

In a representative embodiment, the predictive analytics enginecomponents are implemented in a special purpose computer, preferably insoftware executed by one or more processors. The associatedknowledgebase is stored in an associated data store. The software alsois maintained in one or more data stores or memories associated with theone or more processors, and the software may be implemented as one ormore computer programs.

The analytics function referenced herein may be implemented as anadjunct or extension to an existing network management system, accessmanager or policy management solution. The described functionality maycomprise a component of an NMS solution.

While the above describes a particular order of operations performed bycertain embodiments of the invention, it should be understood that suchorder is exemplary, as alternative embodiments may perform theoperations in a different order, combine certain operations, overlapcertain operations, or the like. References in the specification to agiven embodiment indicate that the embodiment described may include aparticular feature, structure, or characteristic, but every embodimentmay not necessarily include the particular feature, structure, orcharacteristic.

Finally, while given components of the system have been describedseparately, one of ordinary skill will appreciate that some of thefunctions may be combined or shared in given instructions, programsequences, code portions, and the like.

Any application or functionality described herein may be implemented asnative code, by providing hooks into another application, byfacilitating use of the mechanism as a plug-in, by linking to themechanism, and the like.

Having described our invention, what we now claim is as follows.

1. A method of network management, comprising: receiving data from oneor more network devices in a network being managed; using the data togenerate and store, in a data store, a representation of a topology ofat least a portion of the network; receiving a command, the commandhaving been generated in response to an occurrence in the network; andanalyzing the command against the topology to determine an expectedeffect of executing the command in the network; wherein the analyzingstep is carried out at least in part in a hardware element.
 2. Themethod as described in claim 1 further including repeating the receivingdata step so as to maintain current the representation of the topology.3. The method as described in claim 1 wherein the data is received inresponse to a command line interface query to the one or more networkdevices.
 4. The method as described in claim 1 wherein the command is anetwork configuration command that is generated in response to an alarmin the network.
 5. The method as described in claim 1 wherein theanalyzing step is carried out against an algorithm selected from a setof algorithms associated with network management system (NMS) functions.6. The method as described in claim 1 further including generating analarm if the expected effect is a subsequent incident.
 7. The method asdescribed in claim 1 further including passing the command to thenetwork if the expected effect is that the command will executesuccessfully.